Article | 13 January 2026
NIS2 and IT Resilience: What the Directive Specifically Requires
The Resilience Requirements in Detail: Article 21 NIS2 #
Article 21(2) of the directive lists ten minimum cybersecurity risk management measures. National implementation acts mirror this list (in Germany, for example, in the amended BSIG). Three of the ten measures are directly resilience-focused:
1. Backup Management #
Requirement (Art. 21(2)(c)): business continuity, including backup management and disaster recovery.
What this means:
- You must perform regular backups; the frequency is not prescribed, but it must match your RPO targets
- Backups must be tested, not just “in place”
- At least one copy should be isolated from the production network; a purely online backup does not survive a competent ransomware attack
- Recovery capability must be demonstrable
Audit question: “Show me the backup policy. Show me the results of your last recovery test. Show me your RTO/RPO definitions.”
Resilience best practice:
- Online tier for fast restores plus an air-gapped tier for survival
- Quarterly recovery tests
- Documented RTO/RPO for critical systems
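As an added example that is not part of the original article, the following Python script evaluates one critical system's backup evidence against the points above (RPO/RTO targets, an isolated copy, tested restores) and the 3-2-1-1-0 rule; the dataclasses, field names, quarterly test interval and the two sample inventories are constructed for this illustration.

```python
# Added example (not from the article): backup evidence vs. RPO/RTO, isolated copy and the 3-2-1-1-0 rule.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class BackupCopy:
    medium: str            # "disk", "object-storage", "tape", ...
    offsite: bool          # stored at another location
    isolated: bool         # offline / air-gapped from the production network
    last_backup: datetime  # completion time of the newest backup on this copy
    verified: bool         # a restore from this copy has been tested

@dataclass
class CriticalSystem:
    name: str
    rpo: timedelta         # maximum tolerable data loss
    rto: timedelta         # maximum tolerable downtime
    copies: list
    last_restore_test: Optional[datetime] = None
    measured_restore: Optional[timedelta] = None  # duration of the last restore test

def assess(system: CriticalSystem, now: datetime, test_interval=timedelta(days=92)) -> list:
    """Return audit findings for one system; an empty list means it passes."""
    copies = system.copies
    newest = max((c.last_backup for c in copies), default=None)
    checks = [
        (newest is None or now - newest > system.rpo, "RPO missed: newest backup older than RPO target"),
        (len(copies) < 3, "3-2-1-1-0: fewer than three copies"),
        (len({c.medium for c in copies}) < 2, "3-2-1-1-0: only one media type"),
        (not any(c.offsite for c in copies), "3-2-1-1-0: no off-site copy"),
        (not any(c.isolated for c in copies), "no copy isolated from the production network"),
        (any(not c.verified for c in copies), "3-2-1-1-0: unverified backup present"),
        (system.last_restore_test is None or now - system.last_restore_test > test_interval,
         "no recovery test within the quarterly interval"),
        (system.measured_restore is not None and system.measured_restore > system.rto,
         "RTO missed: measured restore time exceeds RTO target"),
    ]
    return [message for failed, message in checks if failed]
NOW = datetime(2026, 1, 13, 9, 0)  # constructed audit date; the inventories below are constructed too
# ERP: online disk tier, off-site object storage, air-gapped tape whose restore was never tested
ERP = CriticalSystem("ERP", timedelta(hours=4), timedelta(hours=8), [
    BackupCopy("disk", False, False, NOW - timedelta(hours=1), True),
    BackupCopy("object-storage", True, False, NOW - timedelta(hours=6), True),
    BackupCopy("tape", True, True, NOW - timedelta(days=1), False)],
    last_restore_test=NOW - timedelta(days=30), measured_restore=timedelta(hours=5))
# Fileserver: purely online backup, two disk copies, nothing isolated, never restore-tested
FILESERVER = CriticalSystem("Fileserver", timedelta(hours=24), timedelta(hours=24), [
    BackupCopy("disk", False, False, NOW - timedelta(hours=12), True),
    BackupCopy("disk", True, False, NOW - timedelta(hours=12), True)])
```

Running `assess(FILESERVER, NOW)` lists four findings, which is the audit outcome the text predicts for a purely online backup.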
2. Business Continuity and Crisis Management #
Requirement (Art. 21(2)(c)): business continuity and crisis management.
What this means:
- You need a written Business Continuity Plan (BCP)
- The BCP must define crisis management processes
- RTO/RPO must be defined per critical process
- Emergency procedures must be documented and work even when IT systems are down
Audit question: “Show me your BCP. Who is the incident commander? How is senior management informed? What is your emergency communications plan?”
Resilience best practice:
- Written BCP with executive summary
- Business impact analysis conducted
- Roles and escalation paths documented
- BCP reviewed and tested annually
3. Incident Handling and Reporting #
Requirement (Art. 21(2)(b) and Art. 23): incident handling, plus the staged reporting obligation for significant incidents.
What this means:
- You must have an incident response plan
- You must send an early warning within 24 hours of becoming aware of a significant incident
- You must send an incident notification within 72 hours with an initial assessment
- You must submit a final report within one month
- Where personal data is affected, breach notification runs in parallel
- You must document how the incident was handled
Reporting in practice:
- Who reports? Define it in advance: typically security plus legal jointly
- To whom? The competent national authority or CSIRT (in Germany: the BSI) and, where personal data is affected, the data protection authority
- What? Basic facts first (affected systems, nature of the incident, suspected cause), detail follows in the later reports
Audit question: “Show me your incident response plan. Who are the IR team members? How do you meet the 24-hour deadline if your mail server is encrypted? Show me the documentation of a past incident or exercise.”
Resilience best practice:
- Written IR plan with defined roles
- Authority contacts and portal credentials documented in advance
- Notification templates prepared
- Past incidents and exercises documented
The Other Article 21 Measures #
The remaining measures are important but less directly tied to resilience:
- Policies on risk analysis and information system security
- Supply chain security (see the dedicated article)
- Security in acquisition, development, and maintenance, including vulnerability handling
- Procedures to assess the effectiveness of the measures
- Cyber hygiene and training
- Cryptography and encryption
- Access control, asset management, human resources security
- Multi-factor authentication and secured communications
NIS2 Resilience Audit: 8‑Point Checklist #
When a supervisory authority audits your organisation, expect these questions. For each, the right answer is a document with a date on it:
- Do you have documented RTO/RPO targets for critical systems? (Evidence: BCP, BIA)
- Do you perform regular backups and test them? (Evidence: backup policy, test reports)
- Is at least one backup copy isolated from the production network? (Evidence: documented air gap setup)
- Do you have a written Business Continuity Plan? (Evidence: document with revision date)
- Do you have an incident response plan with defined roles? (Evidence: IR plan, team list, escalation paths)
- How do you report significant incidents within 24 hours? (Evidence: reporting process, authority contacts, template)
- Do you have a crisis management process? (Evidence: governance structure, crisis team)
- Do you document recovery tests and their results? (Evidence: test reports, measured restore times, findings)
If you can demonstrate all eight, you are in a strong position. If several are missing, expect binding remediation instructions, and in case of persistent gaps, fines.
Who Is Subject to NIS2? #
In short (the dedicated NIS2 overview article covers this in depth):
- Essential entities: large organisations (typically 250+ employees or more than EUR 50 million turnover) in high-criticality sectors such as energy, transport, banking, health, water, and digital infrastructure, plus some entities regardless of size
- Important entities: medium-sized organisations (typically 50+ employees or more than EUR 10 million turnover) in those sectors plus sectors such as postal services, waste, chemicals, food, manufacturing, and digital providers
- Public administration: coverage of regional and local government varies by member state
Fines and Consequences #
Administrative fines:
- Essential entities: up to EUR 10 million or 2% of global annual turnover, whichever is higher
- Important entities: up to EUR 7 million or 1.4% of global annual turnover, whichever is higher
Management liability:
- Management must approve and oversee the risk management measures. If an incident reveals that this duty was breached, executives can be held personally liable towards the company under national corporate law
Market consequences:
- Large customers increasingly require NIS2 compliance from suppliers
- Insurers raise premiums or refuse cover without evidence of tested backups and isolation
- Reputational damage after a public incident
Implementation Roadmap #
If you are starting now (and in mid-2026, many organisations still are), a realistic sequence for a mid-sized organisation:
Phase 1 (month 1 to 2):
- Conduct a business impact analysis
- Define RTO/RPO targets
- Write the incident response plan with the 24h/72h/1‑month deadlines built in
Phase 2 (month 3 to 5):
- Write the Business Continuity Plan
- Review the BCP
- Implement an air-gapped backup tier if not already in place
Phase 3 (month 6 to 8):
- Conduct recovery tests (tabletop plus partial restore)
- Train the IR team and management
- Prepare the evidence package for an audit
Phase 4 (month 9):
- Conduct a full restore test
- Be audit-ready
- Start the continuous improvement cycle
Frequently Asked Questions #
Is NIS2 only applicable in Germany? No. NIS2 is an EU directive and applies in all member states through national implementation acts. Germany’s act is the NIS2UmsuCG; other countries have equivalents.
What is the deadline for NIS2 compliance? The EU transposition deadline was 17 October 2024. National acts are in force (Germany: since 6 December 2025, with no general transition period). In Germany, registration with the BSI was due by 6 March 2026. If you are in scope and not yet compliant, the obligation already applies to you.
Who monitors compliance? The competent national authority in each member state (in Germany: the BSI, alongside sector regulators). Essential entities face proactive supervision; important entities are supervised after the fact.
Further Resources #
- IT Resilience Guide (/en/blog/it-resilienz-leitfaden/)
- NIS2 Explained: Who Is Affected and What Do You Need to Do? (/en/blog/nis2-einfach-erklaert/)
- NIS2 Audit Preparation: Checklist for IT Managers (/en/blog/audit-preparation-nis2-checklist/)
- Incident Response Plan Template (/en/blog/incident-response-plan-vorlage/)
- Business Continuity Plan Guide (/en/blog/business-continuity-plan-leitfaden/)
Business Continuity Management
Business Continuity Management (BCM) is the organizational framework that ensures critical business processes can be maintained or restored within defined timeframes even during severe IT failures, cyber attacks or other crises.
GDPR
The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).
3-2-1-1-0 Backup Rule
The 3-2-1-1-0 rule is the current standard for ransomware-resilient backup strategies: three copies of data, on two different media types, at one off-site location, with one copy physically isolated from the network (offline/air-gapped), and zero unverified backups.